Re: HOWTO: Encrypting /home with cryptsetup-luks on Fedora Core 5

John Maher wrote:
Marc Schwartz wrote:

I see that you have moved to FC5, whereas we started the original thread
on FC4. I presume you figured that this would be a good time to update,
as indeed it is.

Actually, I started experimenting with cryptsetup on my laptop (FC4),
but when it came time to do some serious messing around, I deployed an
old Pentium II-mmx 300 MHz box, and installed FC5 fresh.

Ah...OK.

I'm actually re-installing FC5 on the PII box to test my instructions
again.  Once I'm convinced that they are dependable, I'll subject my
laptop to the HOWTO.

Speaking of dependable, do you know why udev would fail on boot after I
made the changes in the HOWTO?  If I keep rebooting, udev eventually
works, but it's irritating and odd.

Not sure offhand.  Have you run a full 'yum update' after the installation?

There have been loads of updates, including kernels, since FC5 was released. It is possible that it is a bug in udev or even HAL of sorts, which may have been patched.

If that does not help, you might want to try posting to the FC user list to see if someone else has some thoughts or a recommendation to file a bug report at bugzilla.redhat.com.

One other thought, which seems ironic, would be an issue with SELinux policies. These were changed notably in FC5 and there have been many policy updates since release as well. It may be that there is some issue with dm-crypt/LUKS + LVM2 that is flaky as a result of a policy issue.

After all updates have been installed, if the problem persists, you might want to try the process with SELinux temporarily disabled to see if that helps.

One of the reasons that I have not updated to FC5 yet myself, is that I need to do some re-partitioning when I do, and I just have not had the time to go through the process, not only the re-installation, but encrypting the new partitions. It's a full day process (including the random writing of data), by the time I get everything re-installed and all the system configuration settings back in order.

I do hope to get to it soon.

A couple of thoughts:

1. Unless I am going blind in my middle age, I did not see a step in
your HOWTO about prefilling the disk partition with random data. This is
Step 1a/b in WOS's wiki entry. Is there a complication when using LVM2
in terms of doing this or is this a missing critical step (perhaps with
some differences in process) in the sequence?

No, I'm not aware of a LVM2 complication.  I left it out in error.  I
believe the reason for my omission is that when I first embarked on this
project I didn't know what was required to get the job done, and I think
I believed that filling the partition with random data would present
problems with retaining my original /home environment.  I see the error
of my way, and will modify the HOWTO to suggest the inclusion of those
steps.

OK. It would be a very good thing to do. If someone gets physical access to your drive, it further obfuscates where your actual data is versus where there is simply empty space.

In an ideal world, the encrypted data should appear as a random pattern with a very long period. The same for the underlying random data.

Thus, you are making it more difficult for the prospective attacker to discern the difference.

2. You should give serious consideration to posting this process on the
wiki, where it is likely to get more visibility and be easier to access,
especially when using Google searches. You might even want to post a
note about it with a link on the FC lists where you will likely make
many people smile.  :-)

Good to know where great visibility is likely.  I'll definitely post the
HOWTO on the wiki.

Great. I look forward to the update when you are ready.

Great work!

Thank you.

Welcome.

Regards,

Marc
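
The point made in the message above about prefilling with random data, as an added example that is not part of the original thread: a per-block entropy scan of a constructed partition image, with and without a random prefill. It assumes never-written blocks read back as zeros and uses pseudo-random bytes as a stand-in for dm-crypt ciphertext; the block size, threshold and layout are illustrative values.

```python
import math
import random
from collections import Counter

BLOCK = 4096  # bytes per examined block (assumed size for this sketch)

def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    counts = Counter(block)
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def high_entropy_map(image: bytes, threshold: float = 7.0) -> list:
    """One flag per block: True if the block looks random (like ciphertext)."""
    return [entropy(image[i:i + BLOCK]) >= threshold
            for i in range(0, len(image), BLOCK)]

def build_image(written: list, prefilled: bool, seed: int = 1) -> bytes:
    """Constructed image: ciphertext stand-in where the filesystem wrote,
    otherwise zeros (no prefill) or random bytes (prefilled)."""
    rng = random.Random(seed)
    out = bytearray()
    for was_written in written:
        if was_written or prefilled:
            out += bytes(rng.getrandbits(8) for _ in range(BLOCK))
        else:
            out += bytes(BLOCK)  # never-written space, assumed to read as zeros
    return bytes(out)

# Constructed layout: which blocks hold encrypted filesystem data.
WRITTEN = [True, True, False, False, True, False, False, False]

def demo():
    """Return the block maps an observer of the raw device would compute."""
    bare = high_entropy_map(build_image(WRITTEN, prefilled=False))
    filled = high_entropy_map(build_image(WRITTEN, prefilled=True))
    return bare, filled

if __name__ == "__main__":
    bare, filled = demo()
    print("no prefill:", "".join("#" if b else "." for b in bare))
    print("prefilled: ", "".join("#" if b else "." for b in filled))
```

Without the prefill, the map reproduces exactly which blocks were written; with it, every block looks the same, so the amount and location of real data is no longer visible from the raw device.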

